Method and system for lightweight key distribution in a wireless network

ABSTRACT

The method of distributed key control on the basis of the preliminary key distribution scheme, which method including, besides others, the steps of: forming a unique identifier of mesh-network node; recording the unique identifier into a local memory of the mesh-network node; forming an incidence matrix of the KEDYS scheme and an incidence matrix of trivial scheme; generating long-term private keys and recording them together with the corresponding column of the incidence matrix into the local memory of the mesh-network node and also into the local memory of controlling node of distributed center for controlling keys; recording the formed key block of the trivial scheme and a broadcasting key into the local memory of the controlling node of the distributed center for controlling keys; generating a start value of hash-chain and calculating its final value; recording an authenticator into the local memory of the mesh-network node; recording the start value of the hash-chain into the local memory of the controlling node of the distributed center for controlling keys; collating the identifier of a node being disconnected in a database and making decision on the disconnection; recording the identifier of the node being disconnected into the database; generating a session key; calculating the incidence matrix and coverage of the KEDYS scheme; encrypting the session key on paired keys of the trivial scheme or on the broadcasting key; encrypting the session key on the keys from the coverage, which are a part of the key block thereof; forming a broadcasting message for updating key blocks; delivering the broadcasting message for updating key blocks; receiving broadcasting message from the controlling node of distributed center for controlling keys; verifying the authenticity of the broadcasting message; decrypting the broadcasting message in order for obtaining a session key; updating the key block by means of the session key; calculating the column of the incidence matrix of the recipient node in accordance with the identifier thereof and forming the common private key on the basis of the column of the incidence matrix of the recipient node and the key block of the sender node; encrypting a valuable information on the common private key; forming a message on the basis of the received ciphertext; sending the formed message at the address of the recipient node; calculating the column of the incidence matrix of the sender node in accordance with the identifier thereof; forming the common private key on the basis of the column of the incidence matrix of the sender node and the key block of the recipient node; decrypting a valuable information on the common private key.

The invention relates to the telecommunications field, and more specifically to distribution and usage of the private key material in systems transmitting confidential information via public communications channels in the mesh-networks.

Intensive development of wireless technologies has permitted to formulate a series of new concepts, particularly the concept of wireless mesh-networks [1]. It is assumed that each node of mesh-network can perform functions of the router and be able to relay the incoming packets at the address in a situation, when the sender node and recipient node are not nearest neighbors, and, as consequence, cannot establish a direct connection. Thus, sender and recipient communicate via a chain of intermediate nodes, each of which nodes operates as the router. For designating such a method of interaction, English-language publications use the term “multi-hop connection”. Accordingly, the term “single-hop connection” is used for designating the method of interaction between adjacent nodes, when the direct connection is possible.

As a rule, a mesh-network topology is not given in advance and determined at the moment of the network deployment. Furthermore, the topology can vary in course of time, especially in those cases, when nodes possess the mobility. Mesh-networks could be associated to the self-organizing network category. Ideologically, mesh-networks are near ad hoc-networks. The principal difference is in that, within mesh-network, a special control infrastructure exists consisting of nodes with extended functionality, e.g., provided with several wireless interfaces. For designating such an infrastructure, English-language publications use the term “backbone”. Nodes forming the infrastructure are capable for establishing a direct connection (single-hop) with an arbitrary node of mesh-network. Moreover, such nodes have a computational resource of increased power and additional memory for storing great amounts of data. The main purpose of the infrastructure is in controlling the destination routing, particularly processing queries, working out optimal routes, eliminating collisions etc. nodes included in the infrastructure will be hereinafter called controlling.

Ensuring the information security, particularly rendering such security services as confidentiality, integrity and authenticity of the messages being transmitted is an important requirement, and without carrying-out this requirement the scope of problems being solved in practice contracts significantly. Said requirement gains a specific importance in going to wireless technologies, particularly because of vulnerability of data transmission channel. Hence, the above-listed security services must be guaranteed also in mesh-networks.

The main mechanism for ensuring security services is a cryptographic data transformation. In the mesh-network, the symmetric cryptography, i.e., the same key for encryption and decryption is applied. Such a selection is determined by a high computational labor intensity of other known cryptosystems, for example, asymmetric or two-key systems. Computational resource, as well as the memory volume, which belong to the mesh-network node (except for the controlling nodes) is insufficient for effective calculation/check of the digital signature by means of, e.g., the wide-spread RSA cryptoalgorithm [2]. Thus, in the mesh-networks, confidentiality, integrity and authenticity of the messages being transmitted is ensured using symmetric cryptosystems. The deliberated choice of one or another cryptosystem is a separate task. Since the spectrum of symmetric cryptosystems existing now is rather wide, the solution of such task seems to be simple.

Efficiency in applying cryptosystem depends substantially on the realized method for controlling keys. The approach popular in practice consists in creating special trusted center responsible for controlling the keys. The most important functions of such a center are in distributing and updating the key material. However such centralized approach is not free from disadvantages. For example, it is evident that operation of the mesh-network will be paralyzed as a result of capturing the center and compromising the database of the private keys.

In the preliminary key distribution scheme, the trusted center distributes private information, i.e., the so-called “key material” among a set of nodes. A portion of the key material is transmitted to a specific node via a private transmission channel during, for example, deployment of the network. The transmitted key material permits establishing the common private key for the pair of nodes. Examples of such scheme realization are described in the works [3], [4], [5], [6], [7], [8]. Use of preliminary key distribution schemes in ad hoc-network, as well as in sensor networks is described in detail in the works [9], [10], [11].

The closest to the claimed invention is the solution that has been basic in the US 2006/0023887[17], which describes the distributed key management and authentication system based on the techniques of symmetric cryptography and secret division for ad hoc networks. The disadvantage of this method is the high computational labor intensity.

The claimed invention is directed onto solving the task that consists in developing more effective method of distributed key control on the basis of the preliminary key distribution scheme in the mesh-networks.

When developing the claimed method, the authors started from the fact that controlling nodes are not only responsible for routing, but also perform key control. Intrinsically, the aggregate of controlling nodes forms the distributed center for controlling keys (DCCK). Herewith, the distributed control is understood in two ways. On the one hand, it is understood as distributed data storing, and on the other hand—as distributed decision making on the principle of voting.

The essence of the claimed technical solution consists in that the method of distributed key control on the basis of the preliminary key distribution scheme, which method including steps of:

-   -   forming, by an external registration center, a unique identifier         of mesh-network node;     -   recording, by the external registration center, the unique         identifier into a local memory of the mesh-network node;     -   forming, by a trusted center, an incidence matrix of the KEDYS         scheme;     -   forming, by the trusted center, an incidence matrix of trivial         scheme;     -   generating, by the trusted center, long-term private keys;     -   recording, by the trusted center, the formed key block of the         KEDYS scheme and the corresponding column of the incidence         matrix into the local memory of the mesh-network node;     -   recording, by the trusted center, the formed key block of the         KEDYS scheme and the corresponding column of the incidence         matrix into the local memory of control assembly of distributed         center for controlling keys;     -   recording, by the trusted center, the formed key block of the         trivial scheme and a broadcasting key into the local memory of         control assembly of distributed center for controlling keys;     -   generating, by the trusted center, a start value of a         hash-chain;     -   calculating, by the trusted center, a final value of the         hash-chain;     -   recording, by the trust center, an authenticator into the local         memory of the mesh-network node;     -   recording, by the trusted center, the start value of the         hash-chain into the local memory of controlling node of         distributed center for controlling keys;     -   collating, by the controlling node of distributed center for         controlling keys, the identifier of a node being disconnected in         a database and making decision on the disconnection;     -   recording, by the controlling node of distributed center for         controlling keys, the identifier of the node being disconnected         into the database;     -   generating, by the controlling node of distributed center for         controlling keys, a session key;     -   calculating, by the controlling node of distributed center for         controlling keys, the incidence matrix of the KEDYS scheme;     -   calculating, by the controlling node of distributed center for         controlling keys, a coverage;     -   encrypting, by the controlling node of distributed center for         controlling keys, the session key on paired keys of the trivial         scheme or on the broadcasting key;     -   delivering, by the controlling node of distributed center for         controlling keys, ciphertexts which are the session key         encrypted on the paired keys of the trivial scheme or on the         broadcasting key;     -   receiving, by the controlling node of distributed center for         controlling keys, ciphertexts which are the session key         encrypted on the long-term keys from the coverage;     -   encrypting, by the controlling node of distributed center for         controlling keys, the session key on the keys from the coverage,         which are a part of the key block thereof;     -   forming, by the controlling node of distributed center for         controlling keys, a broadcasting message for updating key         blocks;     -   delivering, by the controlling node of distributed center for         controlling keys, the broadcasting message for updating key         blocks;     -   receiving, by the mesh-network node, the broadcasting message         from the controlling node of distributed center for controlling         keys;     -   verifying, by the mesh-network node, the authenticity of the         broadcasting message;     -   decrypting, by the mesh-network node, the broadcasting message         in order for obtaining a session key;     -   updating, by the mesh-network node, the key block by means of         the session key;     -   calculating, by the sender node, the column of the incidence         matrix of the recipient node in accordance with the identifier         thereof;     -   forming, by the sender node, the common private key on the basis         of the column of the incidence matrix of the recipient node and         the key block of the sender node;     -   encrypting, by the sender node, a valuable information on the         common private key;     -   forming, by the sender node, a message on the basis of the         received ciphertext;     -   sending, by the sender node, the formed message at the address         of the recipient node;     -   receiving, by the recipient node, the formed message;     -   calculating, by the recipient node, the column of the incidence         matrix of the sender node in accordance with the identifier         thereof;     -   forming, by the recipient node, the common private key on the         basis of the column of the incidence matrix of the sender node         and the key block of the recipient node;     -   decrypting, by the recipient node, a valuable information on the         common private key.

The technical result is achieved by means of applying a new approach to the principle of distributed key control. Such an approach allows increasing the viability of mesh-network and ensures the guaranteed provision of security services in the case of capturing and disabling separate nodes including also the controlling ones.

As the base scheme in the claimed invention, the scheme KEDYS has been chosen, which scheme being described in the RU 2004103558 A1 titled “Key distribution system and method for operating thereof” [18], as well as the US 2005/0177751 A1 titled “Light-weight key distribution scheme in wireless network” [19].

Choice of this scheme is essential, since its unique properties allow realize effectively the distributed technique for controlling keys. However, it should be stressed that any other preliminary key distribution scheme with similar properties could be chosen instead of the KEDYS scheme.

The main advantages of the KEDYS scheme are as follows:

-   -   The scheme is easily scalable and applicable in mesh-networks         having an arbitrary number of nodes.     -   The computational labor intensity for building this scheme for         mesh-network having an arbitrary number of nodes is proportional         to the network size. During this building, binary logic         operations are used, as well as operations on integers of         limited digit capacity.     -   A technique for building this scheme is determinate, i.e., the         time of building depends only on a number of nodes in a         mesh-network and a labor intensity of the technique itself.     -   The scheme relates to the class of suboptimal ones: the total         number of long-term keys (hereinafter the key pool), as well as         the number of keys which is stored in the local memory of a         separate node (hereinafter the key block), is significantly less         than for other known schemes.     -   The scheme concedes key updating. A necessity in updating arises         every time some mesh-network nodes are captured and their keys         are compromised (hereinafter, compromised nodes). Updating is         possible due to existence of the so-called coverage. Coverage is         some subset of keys being a part of key blocks of all nodes         except for compromised ones. Coverage has a small size.         Procedure for searching a coverage has low computational labor         intensity.     -   The scheme concedes the distributed control of keys. A unique         property of this scheme is in a possibility for selecting key         blocks for the controlling nodes in such a way that they are         capable to form coalitions in order for searching the coverage.         A constructive method of acceptable labor intensity permits to         build the DCCK for a given number of nodes with a given number         of coalitions of certain power.

In essence, the KEDYS scheme is the plan of key distribution among the nodes of mesh-network. A binary incidence matrix is a convenient method for providing such a plan. Each matrix row is associated with a long-term key, and each matrix column is associated with a node. If the binary unit is disposed at the intersection of i-th row and j-th column, then the i-th key is involved into the key block of the j-th node. This means that each column of the incidence matrix determinate the plan for forming the key block of the separate node. A number of keys in the key pool is equal to a number of rows in the incidence matrix. Note that the key blocks are dispensed to unexceptionally all nodes including also the controlling ones.

It is assumed that the start key distribution is carried out using the trusted center (TC) at the stage of deploying the network. TC performs building the incidence matrix, generating the long-termed keys using the reliable random (or pseudorandom) number generator, forming the key blocks, as well as loading the key blocks into the local memory of mesh-network nodes.

As has been noted, the aggregate of the controlling nodes forms the DCCK. Below is given the description of the main mechanisms of the distributed control on the basis of the preliminary key distribution scheme. It should be noted that all mechanisms described below have the general nature and could be applied to any preliminary key distribution scheme. However, the optimal usage of the memory resource and communication channel bandwidth, as well as the low computational labor intensity are guaranteed only when using a scheme similar to the KEDYS scheme in its properties.

During interaction of the controlling keys, it is necessary o provide the confidentiality, integrity and authenticity of the messages being transmitted. Note that the size of the DCCK (the number of the controlling nodes) is substantially less than the size (the number of nodes) of the whole mesh-network. In order for ensuring the listed security services, let us use the trivial preliminary key distribution scheme. In such a scheme, a private key permitting to establish the secured interaction mode with any other controlling node is given to each controlling node, i.e., an arbitrary pair of the controlling nodes has the common private key. Thus, if N nodes is included into the DCCK, then each controlling node will store N−1 keys in the local memory. It should be noted that the choice of the trivial scheme for the DCCK is fully feasible, since N is small. And each controlling node possesses the sufficient memory resource.

Besides the paired keys of the trivial scheme and also keys of the scheme KEDYS, one more private key common for all nodes of the DCCK (hereinafter, broadcasting key) is included into the key block of each controlling node. This key is necessary for ensuring the secured interaction of the controlling nodes in the broadcasting mode, in accordance with the principle “one message for all”.

The controlling nodes form special messages (comprising, for example, routing tables, data for updating keys, etc.) and perform their delivery in the broadcasting mode. Each node of the mesh-network can receive and process such a message. However, the message will be received for processing only upon condition that its sender is the DCCK controlling node. In order for confirming the message authenticity it is proposed to use the single-use password scheme on hash-chains [13, 14, 15, 16]. To this end, each controlling node stores in the memory the start value of the hash-chain h₀. After that the cryptographic hash-function H(•) is applied in series n times, the final value of the hash-chain is formed:

$\left. \left. {\left. {h_{n} = {\underset{\underset{n\mspace{14mu} {times}}{1\mspace{25mu} 44\mspace{14mu} 2\mspace{25mu} 4\mspace{40mu} 43}}{H\left( {H\left( {\ldots \mspace{11mu} H\left( H \right.} \right.} \right.}\left( h_{0} \right)}} \right)\ldots}\mspace{11mu} \right) \right).$

This value together with n (the chain length) is recorded into the node local memory at the stage of deploying the mesh-network. In the operation mode, the controlling node (sender) calculates the intermediate value h_(n-1) of the hash-chain (resulting from n−1 iterations) and records it together with n into the broadcasting message being formed. In order for confirming/denying the authenticity of the received message, the mesh-network node (recipient) carries out verification H(h_(n-1))=h_(n). If the result is positive (equality is true), then the message is received to the further processing, and if not, then rejected. In the case of the positive decision, the recipient stores h_(n-1) and n−1 instead of h_(n) and n. When forming the next broadcasting message, the sender will use h_(n-2), and so on. The pair (h_(n-1), n−i) for the i-th broadcasting message will be named as authenticator.

All without distinction mesh-network nodes are invoked in the preliminary key distribution scheme and store in their local memory the key block consisting of the long-term private keys. As a consequence, each pair of nodes is capable for establishing the secured interaction mode. For this end, it is necessary to know the subset of the long-term keys involved in the intersection of the key blocks for the pair of nodes.

Let us assume that the nodes A and B establish the secured interaction mode. Keys from the intersection of the key blocks of the nodes A and B can be obtained by various ways. For example, the nodes can exchange the respective columns of the incidence matrix. The non-interactive technique seems to be the most effective, which technique consists in a direct calculation by the sender node the certain column of the incidence matrix, which column determinates the plan for forming the key block of the recipient node. In order for calculating the column, it is necessary to know its number. In essence, the column number is the serial number of the node in the network. If columns for the A and B are determined, then the intersection is calculated using the AND operation (logical AND). Binary units at respective positions of the result column point at the keys from the intersection. The column number can be easily associated with the unique node identifier at the stage of deploying the network. Note that the non-interactive method has been realized in the KEDYS scheme.

Let us assume that k_(i) _(l) , . . . , k_(i) _(p) are the keys from the intersection. Then the common key is calculated as k_(AB)=H(k_(i) _(l) P . . . Pk_(i) _(p) ). The symbol P is introduced for denoting the concatenation of binary sequences. The common key k_(AB) is applied for establishing the secured interaction mode between the nodes A and B. In other words, encryption/decryption is carried out on this key, as well as calculation and verification of the message authentication code and other cryptographic data transformations.

At the stage of deploying the network, all nodes undergo registration in the registration center (RC). During the registration, various information is furnished to the node, which information is recorded into the node memory in the form of structured data set. As a result:

-   -   Each mesh-network node has the unique identifier including the         number of nodes in the network.     -   Each mesh-network node obtains the key block of the KEDYS scheme         together with respective column of the incidence matrix.     -   Each controlling node obtains, besides the key block of the         KEDYS scheme, the key set of the trivial scheme and the         broadcasting key.     -   Each mesh-network node (except for the controlling nodes)         obtains the final value of the hash-chain, as well as the start         length of the hash-chain (the number of iterations for obtaining         the final value).     -   Each controlling node obtains the start value of the hash-chain,         as well as the start length of the hash-chain (the number of         iterations for obtaining the final value).

Let us fix in greater detail on the RC structure. It is supposed that the RC consists of two parts. One its part is situated beyond the mesh-network (hereinafter, external RC). The purpose of the external RC is in initial registering, forming the unique identifier and recording this information into the node local memory. Note that the identifier concedes the authenticity verification. Another part of the RC is situated within the mesh-network (hereinafter, internal RC). The purpose of the internal RC is in forming the key blocks and authenticators and recording them into the node local memory. The identifier verification is performed in advance. The positive result of the verification means that this node has been undergone the registration in the external RC and has the right for connecting to the network. Otherwise, the node is denied in connection. It is possible to combine the functionality of the internal RC and DCCK.

The main purpose for updating the keys is in replacing the long-term keys in the node key blocks. Updating can affect both the whole mesh-network, e.g., updating the key pool, and the key blocks of individual nodes. The procedure for a updating the key blocks of individual nodes is started, when it is necessary to perform the disconnection of some amount of nodes. It is evident that in the case of updating the key blocks of all nodes except for certain ones, then the latter lose the possibility for establishing the secured interaction mode with other nodes, which will, in essence, mean their disconnection. The decision concerning the disconnection of any nodes can be made in accordance to the fact of their compromising or initiated by the mesh-network nodes themselves. Updating the key pool can be scheduled and performed periodically. The decision concerning the start of the procedure is made by one of the controlling nodes (hereinafter, initiator). Prior to the start of the updating procedure, the initiator generates the session key SK.

In order to perform updating the keys, it is necessary to find the coverage. It is a reminder that the coverage is some subset of keys included into the key blocks of all nodes except for disconnected ones. The solution of this problem is assigned to the initiator. In order to search the coverage it is necessary to know the identifiers of the nodes being disconnected. As a result of solving this problem for searching the coverage, the initiator obtains the list of numbers of some keys from the key pool. In the KEDYS scheme, each controlling node has only a portion of keys from the coverage. In order to obtain the missing portion it is necessary to collect the coalition of the controlling nodes. The initiator performs the encryption SK only on those keys from the coverage, which are in its possession. The ciphertexts obtained in the result of encryption SK on the missing keys from the coverage are sent by the nodes of the coalition. It is a reminder that the KEDYS scheme guarantees the existence of both the coverage and the coalition. As soon as all ciphertexts are collected, the initiator forms the broadcasting message for updating the key blocks. Each node capable to perform the decryption and obtain the SK can use it further for updating the long-term keys of its key block.

The initiator has two possibilities for forming the coalition from the controlling nodes. The first possibility is in using the service of the nearest neighbors. For example, the controlling nodes concentrated in the operational range of the direct connection. The second possibility is in using the broadcasting delivery.

In order for searching the coverage, the initiator calculates the missing columns of the incidence matrix. The initiator is capable for finding simply the coverage, if the incidence matrix is given and the numbers of columns of the disconnected nodes are known. Then the initiator encrypts the SK on the paired keys of the trivial scheme and delivers it to the nearest neighbors together with the list of the numbers of keys from the coverage. The nearest neighbors send the initiator in response the ciphertexts that are the SK encrypted on the keys from the coverage. If the initiator can not collect all such ciphertexts, then it proceeds to the broadcasting delivery mode. In this mode, the initiator forms the broadcasting message addressed to all controlling nodes and consisting from the ciphertext obtained as a result of decrypting the SK on the broadcasting key, as well as the list of numbers of keys from the coverage. In response, the controlling nodes send the necessary ciphertexts. The initiator performs the delivery of the broadcasting message until it collects all such ciphertexts.

Note that the initiator operates always with the ciphertexts and has no access to the long-term keys of the node coalition.

At the end stage, the initiator forms the following broadcasting message for updating the key blocks.

i₁, …  , i_(M), E_(k_(i₁))(SK), …  , E_(k_(i_(M)))(SK), c, E_(k_(SK))(h_(c − 1)), H(SK)

Let us explain the used designations.

i₁, . . . , i_(M) is the list of numbers of keys from the coverage.

k_(i) _(l) , . . . , k_(i) _(M) are keys from the coverage.

E_(k)(•) is the encryption function.

D_(K)(•) is such decryption function that p=D_(K)(E_(K)(p)).

H(•) is the cryptographic hash-function.

c is the current value of the length of the hash-chain.

h_(c-1) is such previous value of the hash-chain that H(h_(c-1))=h_(c), where h_(c) is the current value of the hash-chain.

k_(SK) = H(E_(k_(i₁))(SK)P…  PE_(k_(i_(M)))(SK))

is the value of the hash-function. The concatenation of all ciphertexts according to the number of keys in the coverage is used as the argument.

The initiator can perform the delivery of the broadcasting message itself, or can use the service of other controlling nodes.

The mesh-network node obtains the SK by means of decryption, ascertains in its authenticity, and then performs the updating of this node's key block. For this end, each mesh-network node carries out in series the steps of:

-   -   Determining the number i_(q) from the list i_(l), . . . , i_(M)         of numbers such that the key k_(i) _(q) is included in the key         block of this node.     -   Performing the decryption of the ciphertext

E_(k_(i_(q)))(SK)

-   -    for the purpose of obtaining the candidate key

SK^(′) = D_(k_(i_(q)))(E_(k_(i_(q)))(SK)).

-   -   Performing the verification of the candidate key H (SK′)=H(SK).         If the result is positive, then SK′=SK, and the session key is         recovered right.     -   Calculating value of the hash-function

H(E_(k_(i₁))(SK)P…  PE_(k_(i_(M)))(SK))

-   -    and then performing the decryption of the ciphertext E_(k)         _(SK) (h_(c-1)) in order for obtaining

h_(c − 1)^(′) = D_(H(E_(k_(i₁))(SK)P…  PE_(k_(i_(M)))(SK)))(E_(k_(SK))(h_(c − 1))).

-   -   Checking H(h′_(c-1))=h_(c), where h_(c) is the value of the         hash-chain stored previously on the node local memory. The         positive result of this check gives evidence of the message         authenticity for updating the key block. Confirmation of the         authenticity is the basis for updating the key block and storing         h′_(c-1)=h_(c-1) instead of h_(c) and c−1 instead of c in the         node local memory.

The step of updating the key block is carried out by updating every key included into this block. The updated key having the number i is calculated as k′_(i)=H(k_(i)PSK).

In the course of time, the status of the mesh-network nodes can vary: some nodes can be disconnected from the network, for example, because of their compromising. Connection of new nodes is also possible.

The initiator makes the decision for disconnecting the node(s) and starts the procedure for updating the key blocks. Upon successful updating, the controlling nodes record the numbers of columns of the incidence matrix of the disconnected nodes into the special database. Prior to carry out any operation for changing the node status, the DCCK collates the node identifier in the database. For example, a newly connected node will be denied in service, if its number is found out in the list of numbers of the disconnected nodes.

For connecting a new node, the special procedure is started.

At the start stage, the challenger node must address the external RC for the purpose of carrying out the registration and obtaining a unique identifier. It is a reminder that identifiers concede the authenticity verification.

In order for a valid connection, the challenger node must obtain a key block, as well as authenticators for verifying the authenticity of messages of the controlling nodes. To this end, a special data transmission channel of restricted radius of action is provided [12]. For designating such a channel, English-language publications use the term “location-limited channel”. Such a channel can be realized, for example, on the basis of the proximity technology having the distance range of three to seventy centimeters depending on the Standard and Class. Use of such channel allows preventing the private information leakage.

The key block is recorded into the local memory of the challenger node in the result of its interaction with the controlling nodes. A data transmission session is started only when the challenger node is positioned in close vicinity to a controlling node, within the radius of action of the data transmission channel. Mobile nodes are capable to carry out the positioning themselves. Prior to start loading the keys, the controlling node performs the identifier authenticity verification for the challenger node. Confirmation of the authenticity means that the challenger node has come through the preliminary registration in the external RC and has the right for obtaining the keys.

In the result of one session, only a portion of information is recorded into the local memory of the challenged node. The complete key block is formed in the result of interaction with a certain coalition of the DCCK controlling nodes. Note that the challenger node obtains the key from the block in encrypted form. In so doing, the challenger node is capable to perform decryption and obtain the key block only providing that it will collect all such ciphertexts, according to the number of the long-term keys in the key block. Thus, the step of forming the key block is carried out in accordance with the principle “all or none”. This means, for example that the challenger node cannot perform decryption of the key block and, as a consequence, will not be connected, is at least one controlling node of the coalition refuses to provide information, or provides certainly corrupted information. In essence, the controlling nodes vote for connecting the challenger node, while providing the information. The KEDYS scheme guarantees that an arbitrary coalition of the controlling nodes is capable for forming the key block of the challenger node. Moreover, the KEDYS scheme guarantees that for the mesh-network having an arbitrary number of nodes, it is always possible to build such a DCCK that a necessary amount of coalitions of the predetermined power exists in that network.

It is possible to disconnect a node by reason of distorting the synchronization, power source fault, and other reasons. In order for recovering the status, the mesh-network node must address to the controlling nodes with the request for forming a key block. Decision on recovering the status is made in accordance with the result of identifier verification in the database. In the case of the positive decision, the step of forming the key block is carried out similarly to the step of forming the key block for the node being newly connected.

Let us give the description of the distributed key control system based on the preliminary key distribution.

Assumed is a mesh-network having an arbitrary topology. DCCK consisting of plurality of controlling nodes is deployed in the mesh-network. The DCCK controlling nodes have a possibility to deliver messages to mesh-network nodes by means of transmitting said messages via a broadcasting communication channel in accordance with the principle “on message for all”. The DCCK controlling nodes are capable to establish a direct connection with an arbitrary mesh-network node. The mesh-network nodes have a possibility to receive messages transmitted via the broadcasting communication channel, as well as a possibility to receive/transmit messages in the result of establishing the direct connection with the nearest neighbor nodes. It is also assumed that the DCCK operates as the internal RC.

At the stage of the initial registration, the external RC is invoked. The external RC has an executive processor circuit, memory and additional interface for the direct access to the local memory of the mesh-network nodes, herewith:

-   -   the external RC is configured for forming, by means of said         executive processor circuit, a unique identifier conceded the         authenticity verification;     -   the external RC is configured for recording the formed         identifier by means of said interface of the direct access to         the local memory of the mesh-network node.

At the stage of deploying the network, the TC is invoked. The TC has an executive processor circuit, memory, random (or pseudorandom) number generator and additional interface for a direct access to the local memory of the mesh-network nodes, herewith:

-   -   the TC is configured for forming, by means of said executive         processor circuit, an incidence matrix of the KEDYS scheme;     -   the TC is configured for forming, by means of said executive         processor circuit, an incidence matrix of the trivial scheme;     -   the TC is configured for generating long-term keys using said         random (or pseudorandom) number generator;     -   the TC is configured for recording, by means of said interface         for a direct access to the local memory of the mesh-network         node, as well as by means of the DCCK controlling node, the         formed key block of the KEDYS scheme and the corresponding         column of the incidence matrix;     -   the TC is configured for recording, by means of said interface         for a direct access to the local memory of the mesh-network         node, the formed key block of the trivial scheme and the         broadcasting key;     -   the TC is configured for generating the start value of the         hash-chain by means of said random (or pseudorandom) number         generator;     -   the TC is configured for forming the final value of the         hash-chain by means of said executive processor circuit;     -   the TC is configured for recording the formed authenticator by         means of said interface for a direct access to the local memory         of the mesh-network node;     -   the TC is configured for recording the formed start value of the         hash-chain by means of said interface for a direct access to the         local memory of the DCCK controlling node.

The DCCK controlling nodes have an executive processor circuit, memory and transceiver, random (or pseudorandom) number generator, and also an interface of the data transmission channel of restricted radius of action, herewith:

-   -   the DCCK controlling nodes are configured for storing, deriving         and recording the identifiers of disconnected mesh-network nodes         into the database by means of said executive processor circuit         and memory;     -   the DCCK controlling nodes are configured for exchanging         messages with other mesh-network nodes, including the         controlling nodes, by the way of receiving/transmitting thereof         by means of said transceiver;     -   the DCCK controlling nodes are configured for generating the         session key using said random (or pseudorandom) number         generator;     -   the DCCK controlling nodes are configured for calculating, by         means of said executive processor circuit, a column of the         incidence matrix of arbitrary node in accordance with the         identifier thereof;     -   the DCCK controlling nodes are configured for calculating a         coverage by means of said executive processor circuit;     -   the DCCK controlling nodes are configured for encrypting, by         means of said executive processor circuit, the session key on         the keys from the coverage;     -   the DCCK controlling nodes are configured for encrypting, by         means of said executive processor circuit, the session key on         the paired keys of the trivial scheme or on the broadcasting key         for address or broadcasting delivery by means of said         transceiver to other DCCK controlling nodes involved into a         virtual coalition;     -   the DCCK controlling nodes are configured for receiving, by         means of said transceiver, the ciphertexts from other DCCK         controlling nodes involved into the virtual coalition;     -   the DCCK controlling nodes are configured for uniting, by means         of said executive processor circuit, the ciphertexts received         from other DCCK controlling nodes involved into the virtual         coalition, on order for forming a broadcasting message for         updating the key blocks;     -   the DCCK controlling nodes are configured for delivering, by         means of said transceiver, the broadcasting message for updating         the key blocks;     -   the DCCK controlling nodes are configured for receiving, by         means of said interface of the data transmission channel of         restricted radius of action, the identifier of the mesh-network         node pretending to a connection to the network;     -   the DCCK controlling nodes are configured for verifying, by         means of said executive processor circuit, the identifier of the         mesh-network node pretending to a connection to the network;     -   the DCCK controlling nodes are configured for transmitting the         long-term keys from the key block thereof by means of said         interface of the data transmission channel of restricted radius         of action.

Each mesh-network node has an executive processor circuit, memory and transceiver, and also an interface of the data transmission channel of restricted radius of action, herewith:

-   -   the mesh-network nodes are configured for calculating, by means         of said executive processor circuit, a column of the incidence         matrix of arbitrary node in accordance with the identifier         thereof;     -   the mesh-network nodes are configured for forming, by means of         said executive processor circuit, a common private key on the         basis of the calculated column of the incidence matrix of the         recipient node and the key block of the node itself;     -   the mesh-network nodes are configured for encrypting/decrypting,         by means of said executive processor circuit, a valuable         information on the common private key;     -   the mesh-network nodes are configured for transmitting the         formed message by means of said transceiver;     -   the mesh-network nodes are configured for receiving, by means of         said transceiver, broadcasting messages from the DCCK         controlling nodes;     -   the mesh-network nodes are configured for verifying, by means of         said executive processor circuit, the authenticity of the         received broadcasting messages from the DCCK controlling nodes         and succeeding decryption thereof;     -   the mesh-network nodes are configured for forming, by means of         said executive processor circuit, an updated key block on the         basis of the session key;     -   the mesh-network nodes are configured for receiving, by means of         said interface of the data transmission channel of restricted         radius of action, the long-term keys from the key block of the         DCCK controlling node.

It should be noted that in the context of the described method, the term “configured for” implies that said structure solutions are already known, and when realizing the method, only their rational use is provided for achieving the desired results.

FIG. 1 depicts the block diagram of the distributed key control system on the basis of the preliminary key distribution scheme according to the invention. Here, the infrastructure of the distributed key control on the basis of the preliminary key distribution scheme consists of mesh network nodes, external registration center (RC) 2, trusted center (TC) 3, distributed center 4 for controlling keys (DCCK) combined with internal registration center.

The DCCK is formed by an aggregate of the controlling nodes. In so doing, the RC has an executive processor circuit 5, memory 6 and additional interface 7 for a direct access to the local memory of the mesh-network nodes. The TC has an executive processor circuit 7, memory 8, random (or pseudorandom) number generator 9 and additional interface 10 for a direct access to the local memory of the mesh-network nodes.

Each DCCK controlling node 4 has an executive processor circuit 11, memory 12, transceiver 13, random (or pseudorandom) number generator 14 and interface 15 of the data transmission channel of restricted radius of action.

Each mesh-network node 16 has an executive processor circuit 17, memory 18, transceiver 19 and interface 20 of the data transmission channel of restricted radius of action. All mesh-network nodes including the controlling ones are connected to a wireless data transmission channel 21.

The method for distributed key control on the basis of preliminary key distribution at the stage of the initial registration is boiled down to the steps of:

-   -   forming, by the external RC, a unique identifier of the         mesh-network node;     -   recording, by the external RC, the unique identifier into the         local memory of the mesh-network node.

It is essential for the usage method at the stage of the initial registration that the unique identifier permits to perform the verification of its authenticity.

The method for distributed key control on the basis of preliminary key distribution at the stage of deploying the mesh-network is boiled down to the steps of:

-   -   forming, by the TC, an incidence matrix of the KEDYS scheme;     -   forming, by the TC, an incidence matrix of the trivial scheme;     -   generating, by the TC, long-term keys;     -   recording, by the TC, the formed key block of the KEDYS scheme         and the corresponding column of the incidence matrix into the         local memory of the mesh-network node, and also into the local         memory of the DCCK controlling node;     -   recording, by the TC, the key block of the trivial scheme and         the broadcasting key into the local memory of the DCCK         controlling node;     -   generating, by the TC, the start value of the hash-chain;     -   calculating, by the TC, the final value of the hash-chain;     -   recording, by the TC, the authenticator into the local memory of         the mesh-network node;     -   recording, by the TC, the start value of the hash-chain in to         the local memory of the DCCK controlling node.

It is essential for the usage method at the stage of deploying the network that the TC is configured for generating the incidence matrix of the KEDYS scheme, and the key block of the KEDYS scheme together with the corresponding column of the incidence matrix is recorded into the local memory of the mesh-network node and into the local memory of the controlling node.

The method for distributed key control on the basis of preliminary key distribution in the case of disconnecting the mesh-network nodes is boiled down to the steps of:

-   -   collating, using the DCCK controlling node, the identifier of         the node being disconnected in the database and making the         decision on the disconnection;     -   recording, using the DCCK controlling node, the identifier of         the node being disconnected into the database;     -   generating, using the DCCK controlling node, a session key;     -   calculating, using the DCCK controlling node, the incidence         matrix of the KEDYS scheme;     -   calculating, using the DCCK controlling node, a coverage;     -   encrypting, using the DCCK controlling node, the session key on         the paired keys of the trivial scheme or on the broadcasting         key;     -   delivering, using the DCCK controlling node, the ciphertexts,         which are the session key encrypted on the paired keys of the         trivial scheme or on the broadcasting key;     -   receiving, using the DCCK controlling node, the ciphertexts,         which are the session key encrypted on the long-term keys from         the coverage;     -   encrypting, using the DCCK controlling node, the session key on         the keys that are included in the key block thereof;     -   forming, using the DCCK controlling node, a broadcasting message         for updating the key blocks;     -   delivering, using the DCCK controlling node, the broadcasting         message for updating the key blocks;     -   receiving, using the mesh-network node, the broadcasting message         from the DCCK controlling node;     -   verifying, using the mesh-network node, the authenticity of the         broadcasting message;     -   decrypting, using the mesh-network node, the broadcasting         message in order to obtain the session key;     -   updating, using the mesh-network node, the key block by means of         the session key.

It is essential for the claimed method at the stage of disconnecting the mesh-network nodes that the DCCK controlling nodes are configured for generating the incidence matrix of the KEDYS scheme, as well as for searching the coverage for the KEDYS scheme.

The method for distributed key control on the basis of preliminary key distribution in the case of connecting new mesh-network nodes is boiled down to the steps of:

-   -   verifying, by the DCCK controlling node, the authenticity of the         node pretending to a connection to the network;     -   transmitting, by the DCCK controlling node, the long-term keys         from the key block via the data transmission channel of         restricted radius of action;     -   receiving, by the node pretending to a connection to the         network, the long-term keys from the DCCK controlling node via         the data transmission channel of restricted radius of action.

It is essential for the claimed method at the stage of connecting new mesh-network nodes that the DCCK controlling nodes are configured for transmitting the long-term keys from the key block via the data transmission channel of restricted radius of action.

The method for distributed key control on the basis of preliminary key distribution in the case of establishing the secured mode of interaction of the pair mesh-network nodes is boiled down to the steps of:

-   -   calculating, by the sender node, a column of the incidence         matrix of the sender node in accordance with the identifier         thereof;     -   forming, by the sender node, a common private key on the basis         of the calculated column of the incidence matrix of the         recipient node and the key block of the sender node;     -   encrypting, by the sender node, a valuable information on the         common private key;     -   sending, by the sender node, the formed message to the recipient         node address;     -   receiving, by the recipient node, the formed messages;     -   calculating, by the recipient node, a column of the incidence         matrix of the sender node in accordance with the identifier         thereof;     -   forming, by the recipient node, the common private key on the         basis of the column of the incidence matrix of the sender node         and the key block of the recipient node;     -   decrypting, by the recipient node, the ciphertext from the         message on the common private key.

It is essential for the claimed method at the stage of establishing the secured mode of interaction of the pair mesh-network nodes that the mesh-network nodes are configured for calculating columns of the incidence matrix of the KEDYS scheme.

For providing the more sophisticated understanding of the claimed technical solution, FIG. 2 and FIG. 3 being the continuation of the FIG. 2 show the algorithm of realization of the method for using the infrastructure of the distributed key control on the basis of the preliminary key distribution scheme. Herewith, the sequence of the operation steps is designated with the reference numbers 201 to 235.

Thus, within the scope of the claimed invention is ensured the creating and operating of the infrastructure of the distributed key control on the basis of the preliminary key distribution scheme for the mesh-networks, which infrastructure does not require a great memory volume for storing the key block and key pool, possesses a low computational labor intensity, permits for using effectively the communication channel capacity, guarantees the provision of the security services in the case of capturing or destroying individual nodes, thus ensuring the network viability.

It should be appreciated that aforecited embodiments of the invention are set forth for the purposes of illustration only, and it is clear for those skilled in the art that various modifications, additions and substitutions are possible without departing from the scope and spirit of the present invention disclosed in the specification, drawings and claims.

REFERENCES

-   [1] I. F. Akyildiz, X. Wang, W. Wang. Wireless mesh networks: a     survey. http://www.sciencedirect.com/. -   [2] Ronald L. Rivest, Adi Shamir, and Leonard Adleman. A method for     obtaining digital signature and public-key cryptosystems.     Communication of the ACM, 21(2): 120-126, 1978. (CM. Tak     e U.S. Pat. No. 4,405,829). -   [3] R. Blom. An Optimal Class of Symmetric Key Generation     Systems.—In: Advances in Cryptology—EUROCRYPT'84, LNCS 209, 1985,     335-338. -   [4] C. J. Mitchell, F. C. Piper. Key Storage in Secure Networks.     Discrete Applied Mathematics, vol. 21(3), 1988, 215-228. -   [5] L. Gong, D. J. Wheeler. A Matrix Key Distribution     Scheme.—Journal of Cryptology, vol. 2(2), 1990, 51-59. -   [6] M. Dyer, T. Fenner, A. Frieze, and A. Thomason. On Key Storage     in Secure Networks.—Journal of Cryptology, vol. 8(4), 1995, 189-199. -   [7] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro     and M. Yung. Perfectly Secure Key Distribution for Dynamic     Conferences.—In: Advances in Cryptology—CRYPTO'92, LNCS 740, 1993,     471-486. -   [8] K. A. S. Quinn. Bounds for Key Distribution Patterns.—Journal of     Cryptology, vol. 12(4), 1999, 227-240. -   [9] D. R. Stinson. On Some Methods for Unconditionally Secure Key     Distribution and Broadcast Encryption.—Designs, Codes and     Cryptography, vol. 12(3), 1997, 215-243. -   [10] L. Eschenauer, V. Gligor. A Key Management Scheme for     Distributed Sensor Networks.—Proceedings of the 9-th ACM conference     CCS2002, 2002, 41-47. -   [11] J. Lee, D. Stinson. On the Construction of Practical Key     Predistribution Schemes for Distributed Sensor Networks using     Combinatorial Designs.—Technical rep. CACR 2005-40, Centre for     Applied Cryptographic Research, University of Waterloo, 2005.     http://www.cacr.math.uwaterloo.ca/techreports/2005/tech_reports2005.html. -   [12] Dirk Balfanz, D. K. Smetters, Paul Stewart, and H. Chi Wong.     Talking to Strangers: Authentication in Ad-Hoc Wireless Networks.     Proceedings of the 2002 Network and Distributed Systems Security     Symposium (NDSS'02). The Internet Society. San Diego, Calif.     February 2002. -   [13] N. Haller. The S/KEY One-Time Password System. Proceedings of     the ISOC Symposium on Network and Distributed System Security,     February 1994, San Diego, Calif. -   [14] N. Haller. The S/KEY One-Time Password System. RFC 1760,     February 1995. -   [15] N. Haller, Metz C. A One-Time Password System. RFC 1938, May     1996. -   [16] N. Haller, C. Metz, P. Nesser, M. Straw. A One-Time Password     System. RFC 2289, February 1998. -   [17] US 2006/0023887 A1. -   [18] RU 2004103558 A1. -   [19] US 2005/0177751 A1. 

1. A method of distributed key control on the basis of the preliminary key distribution scheme, which method including steps of: forming, by an external registration center, a unique identifier of mesh-network node; recording, by the external registration center, the unique identifier into a local memory of the mesh-network node; forming, by a trusted center, an incidence matrix of the KEDYS scheme; forming, by the trusted center, an incidence matrix of trivial scheme; generating, by the trusted center, long-term private keys; recording, by the trusted center, the formed key block of the KEDYS scheme and the corresponding column of the incidence matrix into the local memory of the mesh-network node; recording, by the trusted center, the formed key block of the KEDYS scheme and the corresponding column of the incidence matrix into the local memory of controlling node of distributed center for controlling keys; recording, by the trusted center, the formed key block of the trivial scheme and a broadcasting key into the local memory of the controlling node of the distributed center for controlling keys; generating, by the trusted center, a start value of hash-chain; calculating, by the trusted center, a final value of the hash-chain; recording, by the trust center, an authenticator into the local memory of the mesh-network node; recording, by the trusted center, the start value of the hash-chain into the local memory of the controlling node of the distributed center for controlling keys; collating, by the controlling node of the distributed center for controlling keys, the identifier of a node being disconnected in a database and making decision on the disconnection; recording, by the controlling node of the distributed center for controlling keys, the identifier of the node being disconnected into the database; generating, by the controlling node of the distributed center for controlling keys, a session key; calculating, by the controlling node of the distributed center for controlling keys, the incidence matrix of the KEDYS scheme; calculating, by the controlling node of the distributed center for controlling keys, a coverage; encrypting, by the controlling node of the distributed center for controlling keys, the session key on paired keys of the trivial scheme or on the broadcasting key; delivering, by the controlling node of the distributed center for controlling keys, ciphertexts which are the session key encrypted on the paired keys of the trivial scheme or on the broadcasting key; receiving, by the controlling node of the distributed center for controlling keys, ciphertexts which are the session key encrypted on the long-term keys from the coverage; encrypting, by the controlling node of the distributed center for controlling keys, the session key on the keys from the coverage, which are a part of the key block thereof; forming, by the controlling node of the distributed center for controlling keys, a broadcasting message for updating key blocks; delivering, by the controlling node of the distributed center for controlling keys, the broadcasting message for updating key blocks; receiving, by the mesh-network node, the broadcasting message from the controlling node of distributed center for controlling keys; verifying, by the mesh-network node, the authenticity of the broadcasting message; decrypting, by the mesh-network node, the broadcasting message in order for obtaining a session key; updating, by the mesh-network node, the key block by means of the session key; calculating, by the sender node, the column of the incidence matrix of the recipient node in accordance with the identifier thereof; forming, by the sender node, the common private key on the basis of the column of the incidence matrix of the recipient node and the key block of the sender node; encrypting, by the sender node, a valuable information on the common private key; forming, by the sender node, a message on the basis of the received ciphertext; sending, by the sender node, the formed message at the address of the recipient node; receiving, by the recipient node, the formed message; calculating, by the recipient node, the column of the incidence matrix of the sender node in accordance with the identifier thereof; forming, by the recipient node, the common private key on the basis of the column of the incidence matrix of the sender node and the key block of the recipient node; decrypting, by the recipient node, a valuable information on the common private key.
 2. The method according to claim 1, characterized in that the external registration center is used for forming the unique identifier so that the controlling node of the distributed center for controlling keys could verify the authenticity thereof.
 3. The method according to claim 1, characterized in that the trusted center is used for generating the incidence matrix of the KEDYS scheme.
 4. The method according to claim 1, characterized in that the trusted center is used for recording the key block of the KEDYS scheme together with the corresponding column of the incidence matrix into the local memory of the mesh-network node.
 5. The method according to claim 1, characterized in that trusted center is used for recording the key block of the KEDYS scheme together with the corresponding column of the incidence matrix into the local memory of the controlling node of the distributed center for controlling keys.
 6. The method according to claim 1, characterized in that the controlling nodes of the distributed center for controlling keys are used for generating the incidence matrix of the KEDYS scheme.
 7. The method according to claim 1, characterized in that the controlling nodes of the distributed center for controlling keys are used for searching the coverage for the KEDYS scheme.
 8. The method according to claim 6, characterized in that the mesh-network nodes are used for calculating an arbitrary column of the incidence matrix of the KEDYS scheme in accordance with the predetermined identifier. 